>> If your password is short...adding an easily (more than you would suspect) guessed/discoverable pattern to it, won't make it more secure.
>
> It won't hurt either.
Yes it does. Because it leads you to believe that you're more secure than you really are. Example: a cloud-based password manager company sends out a note saying they were compromised, hackers got all the vaults, and they recommend changing any stored secrets. But you go, nah...I got my secret thing I do with my passwords, so I'm good.

No, that's how you get got. Like I said before, there are programs that can be scripted to handle the password routine you've described...probably a dozen py scripts on GitHub that tackle this.

Just make a longer passphrase / long complex password.
> But the most important thing is using random passwords that are sufficiently long - I do use the password manager to generate those.
This is the way.
> Most sites will allow 12-14 characters for the password. Make sure you include A-Z, 0-9, and symbols (!@#$%) if allowed and multiple of each if possible. The length is more important than the characters.

There's an old infosec wives' tale that there's a cutoff where once you get past a certain number of characters, complexity rules don't matter (I mean if it takes 100 years vs 100000000 years...does it really matter if I force you to change your password every x months). Of course, we have to re-evaluate this notion with every new crop of GPUs that comes out (and this reminds me that I need to revisit our policy).
> Also make sure your second factor is secure. If they get control of your email address and a factor that can be used is email then you're toast.

YubiKey or authenticator app (with backup keys/device). Email gets compromised too easily (see: Yahoo...yesteryear's Gmail, for folks chuckling at Yahoo).
> My thinking:
>
> ^gK*9$sdvD&6Uo is a better password than MyP@ass11. PersonWomanManCameraTVIsHeFuckingKiddingMe is a better password than ^gK*9$sdvD&6Uo. (Or maybe they are equal.)

Yup...the longer passphrase would be better (just keep in mind AI predicting what words come next in a passphrase...so don't be too predictable).

> Goo-^gK*9$sdvD&6Uo-1 is better than ^gK*9$sdvD&6Uo. (Or maybe they are equal but it can put the poster's mind at ease.)

No no no...false sense of security. Worse. It makes you not take actions that you should take when notified of a breach. Otherwise, what is this "peace of mind"? That you don't have to do anything when you hear a service you used was breached? Not good.
> Goo-easypass-1 is worse than ^gK*9$sdvD&6Uo.

...and this is why these routines are bad ideas, because someone is going to try Goo-easypass-1 (just like folks used P@ssw0rd!...cuz it's complex). And when that password gets cracked, the attacker is going to go, "oh, this is what folks are doing...let me alter my script". And now Goo-^gK*9$sdvD&6Uo-1 is just as easily cracked as ^gK*9$sdvD&6Uo, since I know what the pattern is...you may have set back the cracking effort by weeks, maybe even months (since I have to try combinations of different schemes folks come up with)...but nowhere near as long as if you just went with a proper long and complex password.
> Edit: https://bitwarden.com/password-strength/

Take this with a grain of salt. NIST (National Institute of Standards and Technology) SP 800 series focuses on cyber/information assurance and is what federal agencies and folks that interact with federal systems / data follow (and even if you don't, they are good guidelines to follow).

NIST SP 800-63 has guidance on passwords/authenticators. Providing users with the relative strength of their passwords is a recommendation of theirs, so it is great to see Bitwarden has a webtool that does this.

~~~~~~~~
A bad Samaritan averaging above average men (c) DOOM
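An added example, not from the post above or from any of the tools it mentions, of the two points the reply makes: (1) once a cracker has inferred the "site prefix + leaked base + counter" routine, wrapping a leaked password in it buys only a handful of extra guesses, and (2) length and the size of the pool you draw from are what set the real search space, for random characters and for passphrase words alike. The breach dump, the prefix/suffix lists and the target passwords are all constructed for the illustration; the function names are my own, not any real cracking tool's API.

```python
# Added example (not from the post): cost of a "personal pattern" once the
# pattern is known, and entropy of length vs. alphabet size.
# Every list and password below is constructed for illustration.
import itertools
import math


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly and independently
    from `alphabet_size` possibilities. `alphabet_size` is 94 for printable
    ASCII characters, or the size of the word list for a diceware passphrase."""
    return length * math.log2(alphabet_size)


def pattern_bonus_bits(prefixes, suffixes) -> float:
    """Extra work the wrapper adds for an attacker who already knows the
    routine: just log2(number of prefix/suffix combinations)."""
    return math.log2(len(prefixes) * len(suffixes))


def mangled_candidates(leaked_bases, prefixes, suffixes):
    """Yield guesses in the order a scripted cracker would try them once it
    has 'learned' that people wrap a base password in a site prefix and a
    counter suffix (the Goo-<base>-1 routine discussed above)."""
    for base in leaked_bases:
        for prefix, suffix in itertools.product(prefixes, suffixes):
            yield f"{prefix}{base}{suffix}"


def guesses_until_found(target, leaked_bases, prefixes, suffixes):
    """Return the 1-based guess number at which `target` is hit, or None if
    the target is not reachable from the leaked bases with this pattern."""
    for n, cand in enumerate(mangled_candidates(leaked_bases, prefixes, suffixes), 1):
        if cand == target:
            return n
    return None


# Constructed "breach dump": base secrets the attacker already holds in clear.
LEAKED_BASES = ["easypass", "P@ssw0rd!", "^gK*9$sdvD&6Uo"]
# Constructed pattern pieces, as inferred from a few cracked Goo-...-1 hashes.
PREFIXES = ["", "Goo-", "Amz-", "Fb-"]
SUFFIXES = ["", "-1", "-2", "!"]

if __name__ == "__main__":
    for target in ("Goo-easypass-1", "Goo-^gK*9$sdvD&6Uo-1"):
        n = guesses_until_found(target, LEAKED_BASES, PREFIXES, SUFFIXES)
        print(f"{target!r:28} found at guess {n}")
    print(f"wrapper adds only {pattern_bonus_bits(PREFIXES, SUFFIXES):.0f} bits "
          f"over the leaked base once the pattern is known")
    print(f"14 random printable-ASCII chars: {entropy_bits(94, 14):.1f} bits")
    print(f"7 random diceware words (7776):  {entropy_bits(7776, 7):.1f} bits")
    print(f"14 random lowercase letters:     {entropy_bits(26, 14):.1f} bits")
```

Run it and the wrapped strong password falls within a few dozen guesses, because the attacker never has to guess the 14 random characters at all; they came from the breach. The entropy lines show the other half of the argument: a 14-character random password from the full printable set and a 7-word random passphrase sit in the same ballpark (about 90 bits), while 14 lowercase letters are well short, which is why length only helps when the symbols are actually drawn at random from a large pool.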